CVE-2020-37172 HIGH

CVE-2020-37172: AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)

Vendor Avideo

Product AVideo Platform

Weakness CWE-640 · Weak password recovery

Published February 11, 2026

Last update February 12, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.

Key dates

02Disclosure timeline

February 11, 2026 CVE published

February 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-37172

Related vulnerabilities

04Related CVE

CVE-2025-52560 Kanboard Password Reset Poisoning via Host Header Injection CVE-2025-62709 ClipBucket v5 is vulnerable to password reset link manipulation CVE-2025-61977 AutomationDirect Productivity Suite Weak Password Recovery Mechanism for Forgotten Password CVE-2025-53373 Natours has a 1 Click Account take over on reset password via Host Header injection CVE-2023-53958 LDAP Tool Box Self Service Password 1.5.2 Account Takeover via HTTP Host Header